Swimming Pools, Pee, and Trying to Delete Your Data from the Internet

jruohonen1 pts0 comments

Troy Hunt: Swimming Pools, Pee, and Trying to Delete Your Data From the Internet

Mastodon

Sponsored by:

I can't recall if someone else originally came up with this saying or if I said it in some off-the-cuff comment and it just propagated, but since it's often attributed back to me, I'll relay it here regardless:<br>Trying to delete yourself from the internet is like trying to take piss out of a swimming pool<br>Depending on the publication, I'll tailor the saying to be either more broadly palatable or more, uh, "Australian", but the sentiment doesn't change: once data spreads on the internet, you can never put a lid on it. This is important in the context of data breaches because it speaks to the immutability of our exposed personal information. It also speaks to the limited practicality of services that promise to erase your data from the internet, and it's the constant outreach from these organisations looking for marketing opportunities on Have I Been Pwned (HIBP) that's prompted me to write this.<br>Let's begin with those services, and because there are so many and I don't want to throw any of them under the bus, I won't name names. I also won't name them because whilst they're rather assertive in their marketing outreach, I do believe they're well-intentioned and I don't want to imply otherwise. And they have a role to play; it's just much more limited than is represented. The positioning is often around "data broker removal services", or "protect my data", or "remove my information from the internet". You'll find various companies providing these services by searching for those terms, or you can search for specific organisations... and find others hijacking the search term as they pay to market their brand in front of others. Usual internet marketing shadiness, of course, but IMHO it speaks volumes about the commercialisation of the data removal business.<br>These services all follow roughly the same marketing handbook:<br>Data brokers have your personal information, which they may obtain via both legitimate and dodgy means<br>It may be used for nefarious purposes such as identity theft, stalking, spam and other privacy violations<br>Pay us, and we'll ask the brokers to remove your data<br>So let's go through these points one by one, starting with the data broker claim, which is absolutely correct. Your data has value - "data is the new oil" - and there's business in obtaining and selling it. I've dealt with many of them personally over the years, primarily because they've had data breaches. Master Deeds in South Africa was massive. National Public data a couple of years ago was many times larger. Exactis, Adapt, and many others have also been added to HIBP over the years. To the best of my knowledge, they're legally operating services, even if they may exist on the fringe of what most of us would consider "a bit dodgy" as far as respecting our personal information goes.<br>Which brings us to the second point about nefarious uses. There is a very broad spectrum of legitimacy across data brokers. Let's pick two extremes as far as the legality of the service goes. On the "very legally operating" end of things, we have Experian, and even if you don't like what they do, there's no arguing the fact that they're on the cleaner end of legitimacy and do provide valid services. At the other end, you have the likes of LeakedSource (and pretty much every other service with the word "Leak" in its name) that... well... just Google them. And there are many, many more at each end and everywhere in between. And a lot of it's very grey: different legal jurisdictions, different means of obtaining data, and different tolerances for adhering to opt-out requests.<br>But it's the data removal piece that's the real problem. If you pay one of the services in question to scrub you from the internet, I have no doubt they'll have some degree of success with the legally operating services. Those services will comply with legal requests and are adequately equipped to receive and process them. But the LeakedSources of the world? Not so much. And that's where the rub begins:<br>Requests to remove personal information are only effective for services that are willing to honour them.<br>That should sound profoundly obvious to anyone reading this now, but it doesn't really feature when you read the marketing material on data removal services. But I'm only just warming up...<br>Imagine trying to remove your data from here:

πŸš¨πŸ‡ΊπŸ‡Έ ShinyHunters has leaked the data of multiple companies...

πŸ‡ΊπŸ‡Έ American Tower Corporation

πŸ‡ΊπŸ‡Έ JCPenney & subsidiaries under Catalyst Brands & Authentic Brands Group

πŸ‡ΊπŸ‡Έ Madison Square Garden Sports Corp.

πŸ‡ΊπŸ‡Έ Ralph Lauren

πŸ‡ΊπŸ‡Έ https://t.co/08IaUnp1sx pic.twitter.com/TvqanSTO1Y<br>β€” Dark Web Informer (@DarkWebInformer) June 16, 2026

That's a small snippet of the ShinyHunters website from a couple of weeks ago. At the time of writing, a bunch more data has been dumped, including only about 15 minutes before putting these words down in the...

data services from internet trying information

Related Articles